Analysis Overview
SHA256
41b26be773334532c62a77819bc8a898d796ea48fbc2f4fe9363102aab5a6a8d
Threat Level: Known bad
The file 41b26be773334532c62a77819bc8a898d796ea48fbc2f4fe9363102aab5a6a8d was found to be: Known bad.
Malicious Activity Summary
Healer
Healer family
RedLine payload
RedLine
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
Redline family
Executes dropped EXE
Windows security modification
Checks computer location settings
Adds Run key to start application
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 01:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 01:54
Reported
2024-11-07 01:57
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku328365.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCK1572.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku328365.exe | N/A |
| N/A | N/A | C:\Windows\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr449728.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\41b26be773334532c62a77819bc8a898d796ea48fbc2f4fe9363102aab5a6a8d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCK1572.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku328365.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\41b26be773334532c62a77819bc8a898d796ea48fbc2f4fe9363102aab5a6a8d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCK1572.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku328365.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr449728.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku328365.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\41b26be773334532c62a77819bc8a898d796ea48fbc2f4fe9363102aab5a6a8d.exe
"C:\Users\Admin\AppData\Local\Temp\41b26be773334532c62a77819bc8a898d796ea48fbc2f4fe9363102aab5a6a8d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCK1572.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCK1572.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku328365.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku328365.exe
C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1492 -ip 1492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1504
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr449728.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr449728.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
| FI | 77.91.124.145:4125 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCK1572.exe
| MD5 | 1a9dfb0772cac173137ef8d701457b12 |
| SHA1 | bfd97e5138217670ddf23b002b012b778a4337e3 |
| SHA256 | ea272967da81378df5d85b4e819a1a5dc9ef69ee232fa6b6a72e66082d29cad8 |
| SHA512 | 8d50a438d6706f509367ab95e98d970e444251ef08921ee26739aded3414ceb07825b5d0dbefcfd47bf228551e0985addf7cd488a8a55461e3dd8e7c798af678 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr018504.exe
| MD5 | e6561b247a367a3d4e4ebb404f832be9 |
| SHA1 | 674172978de7769ae7b643bd2c8ef9355501e829 |
| SHA256 | 7e3aaf17ab0f01cbd135783e175554045e49b2cee0050ec03ec2015d0fadff9a |
| SHA512 | 399354f00fdb2ca8376e2628b70c6f33ed1128a6c88d7662cc70493e43a6253f049179315bb2f60d5f8ec8630114c3ce5abfd0ce89fdbfabeb6de12073b278d5 |
memory/2852-14-0x00007FFD0B4A3000-0x00007FFD0B4A5000-memory.dmp
memory/2852-15-0x0000000000520000-0x000000000052A000-memory.dmp
memory/2852-16-0x00007FFD0B4A3000-0x00007FFD0B4A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku328365.exe
| MD5 | faf686369c264d1341d7eb8e83231977 |
| SHA1 | a678beb0ac301687ff5b832be5b15be33163f74d |
| SHA256 | 13e77c2656c1f4c9fbb67065d32225e390148a78786fdc6125d11f5711487203 |
| SHA512 | b59d1a3e1264778490dccc63047b25b9b95086997e51bf2ee0bdf00a6c2987269a6da40da37f67fa9c850e8b399bda0f01b20d8dd2548ac1a0329c49945c342c |
C:\Windows\Temp\1.exe
| MD5 | 1073b2e7f778788852d3f7bb79929882 |
| SHA1 | 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4 |
| SHA256 | c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb |
| SHA512 | 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr449728.exe
| MD5 | 30ce373e75bfb72b5d8dca289f67ebe5 |
| SHA1 | c3df88c1f1136a3ceeb2ffd195d9168c4b063a88 |
| SHA256 | b8995c0bb57e0ea9661b16203ddd00c2e3cce08b70660942fb531a33afd03f44 |
| SHA512 | d7fe9f3dcfd1740f4ebf56207c9a02c9ecbd3e3ae00c1c6288cac6e207eb15e6a2177347c8fddf39e5cee7c07067b9ad83c03e3d3c0da578ded2e09df9319482 |
memory/5400-2129-0x0000000000010000-0x0000000000040000-memory.dmp
memory/5400-2130-0x0000000002210000-0x0000000002216000-memory.dmp